SecurityTracker.com
Category:   Application (Generic)  >   Mambo Site Server
Vendors:   Mamboserver.com
Mambo Site Server Content Management System Has Multiple Bugs That May Let Remote Users Gain Access to the Database
SecurityTracker Alert ID:  1005802
SecurityTracker URL:  http://securitytracker.com/id/1005802
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 13 2002
Impact:   Disclosure of authentication information, Disclosure of system information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 4.0.11
Description:   Several vulnerabilities were reported in the Mambo Site Server content management system. A remote user can determine information about the system, conduct cross-site scripting attacks, and potentially gain access to the underlying database server.

It is reported that a remote user can request the following URL to obtain information about the PHP configuration and the system environment:

http://hostname/mambo/administrator/phpinfo.php

A remote user can also call 'index.php' with parameters that do not exist to cause the server to disclose the installation path. A demonstration exploit URL is provided:

http://hostname/mambo/index.php?Itemid=some_stuff

It is also reported that the 'search.php' script does not properly filter user-supplied input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running Mambo Site Server and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A similar input validation flaw exists in the account registration 'Your name' field. If the administrator approves an article that the remote user has posted, then the scripting code in the name field will be executed on the target user's browser when the target user views the article.

According to the report, the default installation of the system uses a common default username ('admin') and password ('admin'). If the administrator fails to change these, a remote user may gain administrative access to the content management system.

Finally, if the administrator has installed phpMyAdmin and made the corresponding changes in 'configuration.php', then a remote user can access the underlying database without authentication using the following URL:

http://hostname/mambo/administrator/phpMyAdmin.php

Impact:   A remote user may be able to gain administrative access to the application if the default administrator password is not changed after installation.

A remote user can obtain information about the system configuration and system environment.

A remote user may be able to gain access to the underlying database.

A remote user can conduct cross-site scripting attacks to access the target user's cookies (including authentication cookies), if any, associated with the site running Mambo Site Server, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.mamboserver.com/
Cause:   Authentication error, Configuration error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
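
A log check for the requests this alert describes, added here as an example; it is not part of the SecurityTracker entry or of the original advisory. The log lines are constructed, the parameter name `q` is a placeholder because the alert does not name the search parameter, and treating a non-numeric `Itemid` as suspicious is an assumption based on the demonstration URL above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Scripts named in the alert; matched as suffixes so any install prefix works.
EXPOSED = {
    "/administrator/phpinfo.php": "phpinfo exposure",
    "/administrator/phpmyadmin.php": "phpMyAdmin bridge",
}
# Apache/NGINX common or combined log format: client, request target, status.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
# An HTML tag opener inside a decoded parameter value.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]", re.I)

def classify(line):
    """Return a list of (client, finding) tuples for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    client, target, status = m.group(1), m.group(2), int(m.group(3))
    url = urlsplit(target)
    path = url.path.lower()
    findings = []
    for suffix, label in EXPOSED.items():
        # Only a 200 means the script is actually reachable without a login.
        if path.endswith(suffix) and status == 200:
            findings.append((client, f"{label} served (HTTP 200)"))
    # parse_qsl percent-decodes values, so encoded markup is caught as well.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if path.endswith("/index.php") and key == "Itemid" and not value.isdigit():
            findings.append((client, "non-numeric Itemid (path disclosure trigger)"))
        if MARKUP_RE.search(value):
            findings.append((client, f"markup in parameter '{key}'"))
    return findings

def scan(lines):
    """Run classify() over an iterable of log lines and flatten the results."""
    return [hit for line in lines for hit in classify(line)]

# Constructed sample input (documentation address ranges, harmless markup).
SAMPLE = [
    '192.0.2.10 - - [13/Dec/2002:10:00:01 +0000] "GET /mambo/administrator/phpinfo.php HTTP/1.0" 200 41233 "-" "-"',
    '192.0.2.10 - - [13/Dec/2002:10:00:05 +0000] "GET /mambo/index.php?Itemid=some_stuff HTTP/1.0" 200 512 "-" "-"',
    '198.51.100.7 - - [13/Dec/2002:10:02:00 +0000] "GET /mambo/search.php?q=%3Cb%3Etest%3C%2Fb%3E HTTP/1.0" 200 900 "-" "-"',
    '198.51.100.7 - - [13/Dec/2002:10:03:00 +0000] "GET /mambo/administrator/phpMyAdmin.php HTTP/1.0" 404 210 "-" "-"',
    '203.0.113.5 - - [13/Dec/2002:10:04:00 +0000] "GET /mambo/index.php?Itemid=3 HTTP/1.0" 200 7000 "-" "-"',
]

if __name__ == "__main__":
    for client, finding in scan(SAMPLE):
        print(client, finding)
```

A 200 on either administrator script is the finding to act on first: it means the file is deployed and answering unauthenticated requests.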


 Source Message Contents

Subject:  Multiple Mambo Site Server sec-weaknesses


=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: Multiple Mambo Site Server sec-weaknesses
product: Mambo Site Server 4.0.11
vendor: http://sourceforge.org/projects/mambo
risk: high
date: 12/12/2k2
discovered by: euronymous /F0KP /HACKRU Team
advisory urls: http://f0kp.iplus.ru/bz/010.en.txt
               http://f0kp.iplus.ru/bz/010.ru.txt 
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=

index
-----

1) php and system environment information
2) search.php xss
3) weak passwords allowed and account blocking
4) path disclosure
5) default administration credentials
6) suitable database access
7) script injecting via `Your name' field


description
-----------

1) php and system environment information

with mambo coming some common script, that use phpinfo()
function, that print many important information, include
full physical paths, php settings and so on.. the script
is placed under mambos `administrator' directory.

http://hostname/mambo/administrator/phpinfo.php


2) search.php xss

in search field of index page you can put any scripting 
code, and then it will interpreted by script above.


3) weak passwords allowed and account blocking

registration.php will allow to you choose the password
process you cannot use special chars (eg space char) as 
a password, but when you edit the your registered 
account and change password with one space char, then
you cannot login, because script output error message:
`please complete username and password fields'. so, 
account was locked. 


4) path disclosure

if you call index.php with parameter, that not existent,
then you can see following error message:

====================================================
Fatal error: Maximum execution time of 30 seconds 
exceeded in /var/www/html/mambo/classes/database.php 
on line 30
====================================================

example url: 

http://hostname/mambo/index.php?Itemid=some_shit


5) default administration credentials

just after installation, mambo have a default account
for manage various site components.. it is a:

username: admin
password: admin

administration login page:  

http://hostname/mambo/administrator


6) suitable database access

if admin have installed phpMyAdmin and if he does make
corresponding changes in configuration.php, then you 
can to access database w/o any authorisation and with 
k-comfortable web-interface ))

http://hostname/mambo/administrator/phpMyAdmin.php 


7) script injecting via `Your name' field

within account register procedure you need to fill out
several fields, such as username, password, etc. 
in `Your name' field you can put any scripting code, 
that will interpreted every time, when some user will
read your articles, news, etc published via mambo site
server. but there is some problem: until admin doesn't
check the your article, it was not published..


shouts: HACKRU Team, DWC, DHG, Spoofed Packet, HUNGOSH,
all russian security guyz!! to kate especially )) 
fuck_off: slavomira and other dirty ppl in *.kz

================
im not a lame,
not yet a hacker
================



 
 



Copyright 2018, SecurityGlobal.net LLC